Changeset 60125 for branches/6.8/src/wp-includes/class-wp-application-passwords.php

Timestamp:

04/03/2025 02:36:46 PM (3 months ago)

Author:

johnbillion

Message:

Application Passwords: Correct the fallback behaviour for application passwords that don't use a generic hash.

Application passwords that aren't hashed using BLAKE2b should be checked using wp_check_password() rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden wp_hash_password() function that uses an alternative hashing algorithm.

Reviewed by audrasjb.
Merges [60123] into the 6.8 branch.

Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion.

Fixes #63203

Location:

branches/6.8

Files:

• . (modified) (1 prop)
• src/wp-includes/class-wp-application-passwords.php (modified) (1 diff)

branches/6.8/src/wp-includes/class-wp-application-passwords.php

@@ -503 +503 @@
         string $hash
     ): bool {
+        if ( ! str_starts_with( $hash, '$generic$' ) ) {
+            /*
+             * If the hash doesn't start with `$generic$`, it is a hash created with `wp_hash_password()`.
+             * This is the case for application passwords created before 6.8.0.
+             */
+            return wp_check_password( $password, $hash );
+        }
+
         return wp_verify_fast_hash( $password, $hash );
     }